ModSecurity VS CraftCMS

First of all, if you have any experience with Traefik, I'd suggest you to do the reverse proxy stuff with it and install the Crowdsec instance along it. As I didn't have experience using Traefik I went with NPM but now I guess it would have been easier considering the research I had to do... Another reason is, I wanted to implement a geo block and/or another security layer by using ModSecurity (https://github.com/SpiderLabs/ModSecurity ) besides Crowdsec too. Afaik Traefik has a plugin that integrates ModSecurity easily - unless NPM.

I don't know about Blackboard, but Moodle will allow quizzes to be run in popups that block most extensions from working; lockdown browsers will block such extensions; and, if you have access to the server, a modified firewall (e.g., ModSecurity) may\* allow blocking this and similar extensions.

> ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity

This might be of interest to some: https://www.modsecurity.org/

> Trustwave is announcing the End-of-Life (EOL) of our support for ModSecurity effective July 1, 2024. We will then hand over the maintenance of ModSecurity code back to the open-source community.

Probably not too big of a deal, though.

Also, this might be useful: https://owasp.org/www-project-modsecurity-core-rule-set/

Though there has been some critique of ModSecurity and that ruleset in the past, as something dated and with false positives.

Anyone have any good alternatives?

Is there a reason no one hasn't made a Docker template for OWASP Coraza (https://github.com/corazawaf/coraza) or ModSecurity (https://github.com/SpiderLabs/ModSecurity) for the use of a reverse proxy?

Since Nginx has different use cases, protecting your application depends on how and where you use it. It's recommended that you have a reliable WAF solution since they block most harmful requests in the first place. In this article, you'll compare three tools—ModSecurity, F5 Nginx App Protect, and open-appsec—based on their active development, advanced security features, and open source commitment to help you figure out which tool is right for you.

I'm currently erring toward ModSecurity & the Nginx connector now that it's been de-Apache'd.

Is anyone on HN doing WordPress administration? I recently 'inherited' a webshop built on WP/WooCommerce, and all the conflicting security advice in the WP space is making my head spin.

There are a dozen competing 'security' plugins, with some saying 'you don't need any of them, WP is secure enough by default', and others saying 'you actually need ModSecurity [1] / Jeff Starr's nG firewall [2]'.

The agency that (shoddily...) built the webshop installed Wordfence Free [3], so I've just kept that for now, though I feel it's kind of slow (but that might just be caused by the bottom-of-barrel performance of the shared webhost it's currently running on).

[1] https://github.com/SpiderLabs/ModSecurity

[2] https://perishablepress.com/7g-firewall/

[3] https://www.wordfence.com/

By Web Firewall did you mean smth like this ?

The most typical approach is having a CMS admin panel sit somewhere on the server; everyone with an account uses this. This is a very convenient approach, especially when working with a team. This way, many people can work on different articles simultaneously without worrying about potential conflicts or overwriting stuff. The only con is related to security - everyone can try to get inside, and if you forget to update our CMS or some user have a weak password, it can be someone outside of our team. WordPress, Drupal, CraftCMS, or Ghost are perfect examples of such CMSs.

I checked one website in that list, it uses CraftCMS, which apparently has htmx bundled. (https://github.com/craftcms/cms/tree/main/src/web/assets/htm...)

Would be interesting to know which other CMS'es make use of htmx (and to what degree).

PHP has a lot of top tier CMSes. IMHO bunch of them are even better than Statamic. Craft CMS (https://craftcms.com/) is a lot more mature database based CMS. Kirby (https://getkirby.com/) is better at flat-file and has a lot better admin interface. Twill (https://twillcms.com/) is better integrated in Laravel and is fully open-source. Statamic mostly feels like it's sitting besides Laravel and they call themselves Laravel based for marketing.

You're basically looking for any CMS that supports headless mode. E.g. Strapi (https://strapi.io/, NodeJS based), CraftCMS (https://craftcms.com/, PHP based) or countless others.

Craft CMS

It's built on Craft CMS. Makes the relationships between elements (a match and a player, for example) super easy.

Is there a reason you aren’t using an existing CMS? There’s a lot that provide all the UI functionality you are talking about and then expose it via a API to be consumed in your front end. https://craftcms.com is one option I’ve had good success with.